This listing of claims will replace all prior versions, and listings, of claims in the 
application: 
LISTING OF CLAIMS: 

1. (Currently Amended) A method for enabling a firewall to securely pass 
encrypted data, the method comprising: 

detecting an exchange of a first encryption key between a host device and 
a remote device, wherein the first encryption key supports 
confidentiality protection of first data exchanged between the host 
device and the remote device according to a first security policy; 

exchanging a second encryption key with the host device when the 
exchange of the first encryption key is detected, wherein the 
exchange of the second encryption key supports confidentiality 
protection of second data exchanged between the firewall and the 
host device according to a second security policy; 

requesting at the firewall, based at least in part upon the second security 
policy, the first encryption key from the host device, wherein the 
first encryption key is sent under the protection of the second 
encryption key and in accordance with the second security policy; 
and 

passing encrypted data when it is determined that the first encryption key 
is received. 

2. (Original) The method of claim 1, further comprising: 

not allowing encrypted data to pass when it is determined that the first 
encryption key is not received. 

3. (Original) The method of claim 1, wherein the step of detecting an exchange of a 
first encryption key further comprises: 

monitoring Internet Key Exchange (IKE) protocol data traffic to determine 
whether the first encryption key is exchanged. 

4. (Currently Amended) A method for enabling a firewall to selectively monitor 
encrypted data traffic, the method comprising: 

detecting an exchange of a first encryption key between a host device and 
a remote device, wherein the first encryption key enables 
confidentiality protection of first data exchanged between the host 
device and the remote device according to a first security policy; 

exchanging a second encryption key with the host device when the 
exchange of the first encryption key is detected, wherein the exchange of the 
second encryption key enables confidentiality protection of second 
data exchanged between the firewall and the host device according 
to a second security policy; 

requesting at the firewall, based at least in part upon the second security 
policy, the first encryption key from the host device, wherein the first 
encryption key is sent under the protection of the second encryption 
key and in accordance with the second security policy; and 

decrypting encrypted data, using the first encryption key, according to a 
predetermined monitoring policy. 

5. (Currently Amended) A method for enabling a firewall to selectively pass 
protocols and services, the method comprising: 

detecting an exchange of a first encryption key between a host device and 
a remote device, wherein the first encryption key supports 
confidentiality protection of first data exchanged between the host 
device and the remote device according to a first security policy; 

exchanging a second encryption key with the host device when the 
exchange of the first encryption key is detected, wherein the 
exchange of the second encryption key supports confidentiality 
protection of second data exchanged between the firewall and the 
host device according to a second security policy; 

requesting at the firewall, based at least in part upon the second security 
policy, the first encryption key from the host device, wherein the 
first encryption key is sent under the protection of the second 
encryption key and in accordance with the second security policy; 

decrypting encrypted data, using the first encryption key; and 

applying a predetermined filtering policy to the decrypted data. 

6. (Original) The method of claim 5, further comprising: 
re-encrypting the decrypted data. 

7. (Currently Amended) A firewall apparatus that securely passes encrypted data, 
the apparatus comprising: 

an exchange detector for detecting an exchange of a first encryption key 
between a host device and a remote device, wherein the first 
encryption key supports confidentiality protection of first data 
exchanged between the host device and the remote device 
according to a first security policy; 

a key exchanger for exchanging a second encryption key with the host 
device when the exchange of the first encryption key is detected, 
wherein the exchange of the second encryption key supports 
confidentiality protection of second data exchanged between the 
firewall and the host device according to a second security policy; 

a key requestor for requesting at the firewall, based at least in part upon 
the second security policy, the first encryption key from the host 
device, wherein the first encryption key is sent under the protection 
of the second encryption key and in accordance with the second 
security policy; and 

an encrypted data passer for passing encrypted data when it is 
determined that the first encryption key is received. 

8. (Original) The apparatus of claim 7, further comprising: 

an encrypted data blocker for not allowing encrypted data to pass when it 
is determined that the first encryption key is not received. 

9. (Original) The apparatus of claim 7, wherein the exchange detector further 
comprises: 

a monitor for monitoring Internet Key Exchange (IKE) protocol data traffic 
to determine whether the first encryption key is exchanged. 

10. (Currently Amended) A firewall apparatus for selectively monitoring encrypted 
data traffic, the apparatus comprising: 

an exchange detector for detecting an exchange of a first encryption key 
between a host device and a remote device, wherein the first 
encryption key enables confidentiality protection of first data 
exchanged between the host device and the remote device 
according to a first security policy; 

a key exchanger for exchanging a second encryption key with the host 
device when the exchange of the first encryption key is detected, wherein the 
exchange of the second encryption key enables confidentiality 
protection of second data exchanged between the firewall and the 
host device according to a second security policy; 

a requestor for requesting at the firewall, based at least in part upon the 
second security policy, the first encryption key from the host device, 
wherein the first encryption key is sent under the protection of the 
second encryption key and in accordance with the second security 
policy; and 

a decryptor for decrypting encrypted data, using the first encryption key, 
according to a predetermined monitoring policy. 
11. (Currently Amended) A firewall apparatus for selectively passing protocols and 
services, the apparatus comprising: 

an exchange detector for detecting an exchange of a first encryption key 
between a host device and a remote device, wherein the first 
encryption key supports confidentiality protection of first data 
exchanged between the host device and the remote device 
according to a first security policy; 

a key exchanger for exchanging a second encryption key with the host 
device when the exchange of the first encryption key is detected, 
wherein the exchange of the second encryption key supports 
confidentiality protection of second data exchanged between the 
firewall and the host device according to a second security policy; 

a requestor for requesting at the firewall, based at least in part upon the 
second security policy, the first encryption key from the host device, 
wherein the first encryption key is sent under the protection of the 
second encryption key and in accordance with the second security 
policy; 

a decryptor for decrypting encrypted data, using the first encryption key; 
and 

a filter for applying a predetermined filtering policy to the decrypted data. 
12. (Original) The apparatus of claim 11, further comprising: 
an encryptor for re-encrypting the decrypted data. 
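Added worked example, not part of the claims listing or of the applicant's disclosure: a Python simulation of the handshake recited in method claims 1 to 6 and mirrored by apparatus claims 7 to 12. The firewall observes the host's key exchange with the remote device (the first encryption key, first security policy), runs its own exchange with the host (the second encryption key, second security policy), requests the first key under the protection of the second key, and then either passes, blocks, or decrypts, filters and re-encrypts the host's traffic. Everything concrete here is an assumption made for the demo: IKE is reduced to a single Diffie-Hellman exchange in a toy 127-bit group, the "ESP" payloads are sealed with an HMAC-SHA256 counter-mode toy cipher rather than a real AEAD, the "DISCLOSE first-key" request string and the message dictionaries are invented, and the host's disclosure decision stands in for the second security policy.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group standing in for an IKE DH group (demo assumption).
# 2**127 - 1 is prime but far too small for real use; it only keeps the demo fast.
P = 2**127 - 1
G = 5
NONCE_LEN, TAG_LEN = 12, 32

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2                  # private exponent in [2, P-2]
    return priv, pow(G, priv, P)

def dh_shared_key(priv, peer_pub):
    # Hash the shared group element down to a 32-byte symmetric key.
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def _keystream_xor(key, nonce, data):
    # Counter-mode keystream from HMAC-SHA256: a toy cipher, not for production.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key, plaintext):
    # Encrypt-then-MAC with domain-separated subkeys: nonce || ciphertext || tag.
    nonce = secrets.token_bytes(NONCE_LEN)
    body = nonce + _keystream_xor(key + b"enc", nonce, plaintext)
    return body + hmac.new(key + b"mac", body, hashlib.sha256).digest()

def unseal(key, blob):
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key + b"mac", body, hashlib.sha256).digest(), tag):
        raise ValueError("authentication tag mismatch")
    return _keystream_xor(key + b"enc", body[:NONCE_LEN], body[NONCE_LEN:])

class Host:
    def __init__(self, policy_allows_disclosure):
        # first_key: host<->remote; second_key: host<->firewall; disclose: second policy.
        self.disclose = policy_allows_disclosure
        self.first_key = self.second_key = None

    def ike_initiate(self):
        self._priv, pub = dh_keypair()
        return {"proto": "IKE", "pub": pub}              # visible to the firewall on the wire

    def ike_complete(self, remote_pub):
        self.first_key = dh_shared_key(self._priv, remote_pub)

    def exchange_with_firewall(self, fw_pub):
        priv, pub = dh_keypair()
        self.second_key = dh_shared_key(priv, fw_pub)
        return pub

    def answer_key_request(self, sealed_request):
        # The request arrives under the second key and the first key leaves under it.
        if unseal(self.second_key, sealed_request) != b"DISCLOSE first-key" or not self.disclose:
            return None
        return seal(self.second_key, self.first_key)

    def send(self, payload):
        return {"proto": "ESP", "data": seal(self.first_key, payload)}

class Firewall:
    def __init__(self, denied_prefixes):
        self.first_key = None
        self.denied = denied_prefixes                     # the "predetermined filtering policy"
    def acquire_first_key(self, host):
        priv, pub = dh_keypair()                          # key exchanger: second key with host
        second_key = dh_shared_key(priv, host.exchange_with_firewall(pub))
        reply = host.answer_key_request(seal(second_key, b"DISCLOSE first-key"))  # key requestor
        self.first_key = None if reply is None else unseal(second_key, reply)
        return self.first_key is not None

    def forward(self, msg):
        if msg["proto"] != "ESP":
            return msg
        if self.first_key is None:                        # blocker: first key never received
            return None
        plain = unseal(self.first_key, msg["data"])       # decryptor
        if any(plain.startswith(p) for p in self.denied): # filter
            return None
        return {"proto": "ESP", "data": seal(self.first_key, plain)}  # re-encrypt and pass

def run_scenario(host_discloses, payloads):
    # Returns what the remote device decrypts per payload, or None where the firewall dropped it.
    host, fw = Host(host_discloses), Firewall(denied_prefixes=(b"TELNET",))
    remote_priv, remote_pub = dh_keypair()
    init = host.ike_initiate()                            # host -> remote, through the firewall
    remote_first_key = dh_shared_key(remote_priv, init["pub"])
    host.ike_complete(remote_pub)
    if init["proto"] == "IKE":                            # exchange detector triggers the second exchange
        fw.acquire_first_key(host)
    delivered = []
    for payload in payloads:
        out = fw.forward(host.send(payload))
        delivered.append(None if out is None else unseal(remote_first_key, out["data"]))
    return delivered
```

Two points the simulation makes visible. First, the firewall sees both Diffie-Hellman public values on the wire but cannot derive the first key from them; the only route to that key is the request the host answers under the second key, so an on-path observer of the firewall-host link learns nothing it could not already learn from the IKE traffic. Second, because the firewall re-encrypts under the same first key, the remote device cannot distinguish inspected traffic from untouched traffic, which is exactly why a firewall holding every session key is a high-value target and why the second security policy, not the firewall's request, has to be the thing that decides whether a key is disclosed.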